Slashdot Mirror


X-Force Changes Vulnerability Disclosure Policy

BitHive writes "ISS has changed their policy for announcing security vulnerabilities. The new guidelines will give vendors thirty days to come up with a fix before disclosure is made, though there are a number of exceptions that can prompt faster disclosure. From the PC World article, these are: "The vendor issues a patch or announcement; an in-depth discussion of the problem occurs on a public mailing list; active exploitation of any form of the vulnerability occurs on the Internet; ISS receives reliable evidence that a vulnerability is in the wild; the media reports the vulnerability; or the vendor is unresponsive.""

2 of 98 comments

  1. what will likely happen by EEgopher · Score: -1, Flamebait

    my spam and virus filters will block all 30-day communications from X-Force, and we will all be doomed.

    --
    hi, I like pancakes -.-- -.-- --..
  2. A more responsible disclosure policy is needed by DickBreath · Score: -1, Flamebait

    We need a more responsible disclosure policy.

    While I commend X-Force's policy for trying to be responsible, I would suggest that they amend their policy in the following manner.

    If the vulnerable systems are made by Microsoft then the vulnerability with a working exploit should be disclosed immediately.

    --

    I'll see your senator, and I'll raise you two judges.